Network ACL for two specific ports

Similar Messages

• Problem creating Network ACL for a ROLE in Oracle 11gR2

  According to Oracle Documentation when you create a new Network ACL you can add privileges to a user or role.  I need to create a new ACL for the UTL_SMTP package for a specific role, but when I granted it the users who have that role are still getting the "ORA-24247: network access denied by access control list (ACL)" error when they try to send an email.  If I grant the ACL privilege to the same users directly it works fine.  Is there any step I'm missing?  This is the test I have made on my Solaris 10 - Oracle 11gR2 (11.2.0.3) Standard Edition server:
  SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 21 09:31:52 2013
  Copyright (c) 1982, 2010, Oracle.  All rights reserved.
  SQL> CONNECT system/******@testdb
  Connected.
  SQL> SET LINES 1000
  SQL> SELECT * FROM v$version;
  BANNER
  Oracle Database 11g Release 11.2.0.3.0 - 64bit Production
  PL/SQL Release 11.2.0.3.0 - Production
  CORE    11.2.0.3.0      Production
  TNS for Solaris: Version 11.2.0.3.0 - Production
  NLSRTL Version 11.2.0.3.0 - Production
  SQL> COLUMN host FORMAT A20
  SQL> COLUMN lower_port FORMAT 99999
  SQL> COLUMN upper_port FORMAT 99999
  SQL> COLUMN acl FORMAT A40
  SQL> COLUMN acl FORMAT A40
  SQL> COLUMN principal FORMAT A15
  SQL> COLUMN privilege FORMAT A10
  SQL> COLUMN is_grant FORMAT A8
  SQL> COLUMN status FORMAT A10
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  no rows selected
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  no rows selected
  SQL> CREATE USER testacl IDENTIFIED BY testacl;
  User created.
  SQL> GRANT CONNECT TO testacl;
  Grant succeeded.
  SQL>
  SQL> BEGIN
    2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL',true,'connect');
    3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
    4     commit;
    5  END;
    6  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  HOST                 LOWER_PORT UPPER_PORT ACL
  localhost                    25         25 /sys/acls/test_smtp.xml
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
  /sys/acls/test_smtp.xml                  TESTACL         connect    true
  After creating this ACL I test it like this:
  SQL> CONNECT testacl/testacl@testdb
  Connected.
  SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
  HOST                 LOWER_PORT UPPER_PORT PRIVILEGE  STATUS
  localhost                    25         25 connect    GRANTED
  SQL> DECLARE
    2     c utl_smtp.connection;
    3  BEGIN
    4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
    5     utl_smtp.helo(c, 'localhost');
    6     utl_smtp.mail(c, 'Oracle11.2');
    7     utl_smtp.rcpt(c, '[email protected]');
    8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
    9     utl_smtp.quit(c);
  10  END;
  11  /
  PL/SQL procedure successfully completed.
  SQL>
  This works fine and I receive the email correctly.  Now if I try to do the same thing for a role:
  SQL> CONNECT system/******@testdb
  Connected.
  SQL> BEGIN
    2     dbms_network_acl_admin.drop_acl('test_smtp.xml');
    3     commit;
    4  END;
    5  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  no rows selected
  SQL> CREATE ROLE testacl_role;
  Role created.
  SQL> GRANT testacl_role TO testacl;
  Grant succeeded.
  SQL> ALTER USER testacl DEFAULT ROLE ALL;
  User altered.
  SQL>
  SQL> BEGIN
    2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL_ROLE',true,'connect');
    3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
    4     commit;
    5  END;
    6  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  HOST                 LOWER_PORT UPPER_PORT ACL
  localhost                    25         25 /sys/acls/test_smtp.xml
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
  /sys/acls/test_smtp.xml                  TESTACL_ROLE    connect    true
  SQL>
  And now I test it again with the same user:
  SQL> CONNECT testacl/testacl@testdb
  Connected.
  SQL>
  SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
  no rows selected
  SQL> DECLARE
    2     c utl_smtp.connection;
    3  BEGIN
    4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
    5     utl_smtp.helo(c, 'localhost');
    6     utl_smtp.mail(c, 'Oracle11.2');
    7     utl_smtp.rcpt(c, '[email protected]');
    8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
    9     utl_smtp.quit(c);
  10  END;
  11  /
  DECLARE
  ERROR at line 1:
  ORA-24247: network access denied by access control list (ACL)
  ORA-06512: at "SYS.UTL_TCP", line 17
  ORA-06512: at "SYS.UTL_TCP", line 267
  ORA-06512: at "SYS.UTL_SMTP", line 161
  ORA-06512: at "SYS.UTL_SMTP", line 197
  ORA-06512: at line 4
  SQL>
  I'm aware that role privileges doesn't apply inside procedures, functions or packages by default, but this is an anonymous block so it should use the active roles for the user.  I also tried adding a "dbms_session.set_role('TESTACL_ROLE');" at the beggining of the anonymous PL/SQL block but I got the same access error.
  Thanks in advance for any help you can give to me on this question, it would be very hard to grant the ACL to all the individual users as they are more than 1000, and we create more regularly.

  Thanks for your quick reply... I don't have a problem creating the basic ACL with the privileges granted for a user.  The problem appears when I try to create an ACL with privileges for a ROLE.  You can see here http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_networkacl_adm.htm#BABIGEGG than the official Oracle documentation states that you can assign the ACL principal to be a user or role:
  Parameter
  Description
  acl
  Name of the ACL. Relative path will be relative to "/sys/acls".
  description
  Description attribute in the ACL
  principal
  Principal (database user or role) to whom the privilege is granted or denied. Case sensitive.
  My issue is that when I try to create the ACL for a role it doesn't work.
  Have you ever created an ACL for a role? if so please send me an example or let me know which step I might be missing.  Cheers.

• Delivery notification for two way ports

  HI
  I am using a two way BasicHttp Adapter  for sending requests and receiving response from a Web service. I want to handle Delivery Notification errors but since it works only for one way ports how can i implement the same for my scenario Please advice.
  Regards
  Suresh

  Hi Suresh,
  Snippet below from the
  link should answer your specific question.
  Handling Delivery Failure Exception (using a request-response port)
  There is a great post
  by Naveen Karamchetti about this; this is the key steps…
  In order to catch an exception within your scope block in BizTalk while using a request-response port, you might have to do the following:
  Set the retry-count to 0 on your physical request-response port which you use to bind.
  Enable the flag Delivery Notification to ‘Transmitted’ on your logical request-response port within the orchestration.
  Catch the “Microsoft.XLANGs.BaseTypes.DeliveryFailureException” exception and handle it as you’re please.
  The Delivery Notification flag on the Send Port indicates that the orchestration must be NOTIFIED back, in case the message has not been received by the destination. Delivery Notification works only when
  the Retry Count set to 0. When a message cannot be delivered, a Delivery Failure Exception is raised and the exception needs to be handled by the Orchestration.
  Rachit
  Please mark as answer or vote as helpful if my reply does

• Enabling BW reports for a specific port

  Hi All,
  How to enable BW reports for a specific prot?.
  Our requirement is Report should run FIRST, if I type the URL manually with the port we configure in SICF.
  Thanks in Advance.
  Regards,
  Ravi Chelikani.

  Ravi,
  the port is configured per protocol (HTTP, HTTPS, etc) in transaction SMICM.
  Regards,
  Marc
  SAP NetWeaver RIG, US BI

• NO internet in the network except for two computers after installing ASA 5505

  Hi Guys,,,
  I dont know if any of you guys had a problem like this... I installed a CISCO ASA5505 with 50 user license  to my network as the gateway firewall. So ASA is acting as the gaeway router which is connected to a fibre circuit and also it gives DHCP to the network. The strange thing is that except for two computers rest does not have internet. I also have an asterisk phone system which works fine..
  I tried everything.... static IP's DHCP, DNS nothing worked. But strange enough two computers works fine and have internet.. but are no special computers. One is Win XP and the other one is Win7. When I troubleshoot the problem in win 7 on one of the computers it says
  "The remote device or resource won't accept the connection"
  I have no idea now... any help would be great...
  Thanks in advance

  Hello Amal.
  I hope the gateway of the comupters are configured as ASA.. Are you able to ping your gateway from the PC where you dont have access to internet and also check whether the translation is happening on ASA when you are trying to access the internet ( show xlate  | i 'local ip'
  It would be great if you could share the ASA config as well
  regards
  Harish.

• ITunes "Check for updates" don't work for two specific app

  I have iPhone 4S, and iTunes at Windows 7 PC. Clean install.
  I've bought an GPS navigation app, Turkey Navigation iGO Primo app, which was free at first release day. My problem is, when I click the button "Check for updates" at iTunes(PC), it don't show me any updates, but when I go to app's(iGO Primo) iTunes page, I see that new version released, and iTunes price button says "Update". So I can manually update the app, but iTunes can't automatically finds it. This symptom only occurs for two apps iGO Primo app and Google Search app.
  A friend of mine also bought the Primo app at same time as me, and she has no problem, iTunes can find updates automatically.
  I can delete the app from iTunes and download again, but no luck, no fix.
  Developer(NNG) and Apple technical support can't help me a bit.
  Maybe there is other apps at my library that has this problem, I don't check every app's page manually if an update released.
  Do you have any solutions?

  From the Store menu, select
            Check for Unfinished Downloads...

• How can I use the USRP to record a signal using its two RX port simultaneously?

  Hi.
   I am trying to record a signal using two horn antenna. The reason I need two antenna is to cover the wide frequency range (DC-6GHz). one antenna is covering DC-300MHz and the other one covers 300MHz-6GHz. So I need to use two RX port of USRP at the same time to record the signal. I have two questions:
  1. Does any USRP in the market capable of covering this range of frequency?
  2. Is it possible to use both RX port at the same time to record signals as I described? If not, how can make that happen?
  P.S. I have two NI2920 USRPs and two N210 USRPs in my lab. 
  Thanks in advance for your time.
  Sam.
  Solved!
  Go to Solution.

  Hi Sam,
  To answer your first question the USRPs that you have cannot reach the frequency range that you want. There is not a USRP, to my knowledge, that can reach this range in one device. 
  Also note that you cannot use two RX sessions for two different ports at the same time using LabVIEW and the USRP driver. If you want to use both RX lines you will have to run one session with one line, end the session, and then start a different session for your second RX line.
  Noah | Applications Engineer | National Instruments

• Material Ledger for two materials

  Hi,
  I need to run the Material Ledger for two specific materials. In CKMLCP not have the field to select the materials.
  In this case what should I do?
  hugs,
  Cristiane.

  Hi Cristiane,
  some steps in CKMLCP also have own transaction codes and these allow to be run fro selected materials
  CKMH Single-Level Price Determination
  CKMI post closing
  multi-level allows the material selection in the parameters when you go to edit - allow postprocessing options
  best regards, Udo

• How to disable network connections for an application

  Hi to all,
  I would like to know if there is any way a user can disable network connections for a specific application.
  Thank you,
  Xwang

  Yes, but I would like to block only a specific application, not all the traffic from the PC.
  I've found this "solution" which uses iptables on the net:
  "Add a group to your system (I use nonet myself), then add a rule to your output chain like this: -A OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable Run the program for which you know in advance that you want to block, with sg (sg nonet "your_prog your_args")."
  Do you think is it right?
  Another suggestion was to use unshare to call the program disabling the net for that program only.
  The problem is that unshare is runnable only by root so, in case, I should turn on its setuid flag in order to execute the program as a normal user, but I don't know if it is safe to do that.
  Last edited by Xwang (2014-10-11 08:06:16)

• Unable to map master page gallery as network drive for migrated sitecollection

  Hi all,
  I am unable to map the masterpage gallery as network drive for design manager for a migrated site.
  This is a windows 2008 server r2 OS. Desktop experience in installed.
  I am able to map the master page gallery as network drive for two other site collections which is not migrated.
  But for the current migrated sitecollection, it throws the familiar error that it is unable to connect.... I already tried unistalling and reinstalling desktop experience.
  Kindly help.

  Hi sanjuv,
  According to your description, my understanding is that you can't map master page gallery in network drive for certain migrated site collection.
  If you can open the master gallery with explorer, it means the master page gallery really exists. I suggest you check if the path is valid in the network drive. You can find the detailed path information with the articles below:
  1.On the site for which you are creating a design, start Design Manager. (For example, on the Settings menu, choose Design Manager.)
  2.In the numbered list, select Upload Design Files.
  3.The Design Manager: Upload Design Files page contains the location of the Master Page Gallery. The location probably ends in /_catalogs/masterpage/. This is the location to which you will map a network drive.
  4.Make a note of the location of the Master Page Gallery, or copy it to the Clipboard.
  Here is a detailed article for your reference:
  Map a network drive to the SharePoint 2013 Master Page Gallery
  If the issue still exists , I suggest you can check the link below to troubleshooting the connection error with Network drive. You can try to install the kb of IE10 below to test if it works.
  https://support.microsoft.com/kb/2616712/en-au?wa=wsignin1.0
  https://support.microsoft.com/kb/2846960
  Best Regards
  Zhengyu Guo
  TechNet Community Support

• Opening specific ports for video

  Hi!
  I want to open some ports for one specific host on the inside network. I want the host to be able to call out to any host on the internet. What is the easiest way to do this?
  I have many public IP adresses so the inside host can easily be Natted with one of the public adresses.
  /Lajja1234

  Easiest way,
  Do a one to one translation and open the right ports on the Outside ACL..
  Just like 5 commands and that will do it

• Best way to avoid requirement for network ACL after upgrade to 11g

  Hi All,
  After upgrade from 10g to 11g, I found Network ACLs required to make code using SYS.UTL_SMTP to work. Otherwise there is an error: ORA-24247: network access denied by access control list (ACL).
  Do you know an elegant way to get rid of ACLs? I mean to open the network for all user's code, like it was on 10g, instead of checking what is actually needing it and doing specific ACLs for users. Database parameter disabling ACL restrictions seems natural option here, but it looks like Oracle not introduced such.
  Kind Regards,
  Artzaw

  I don't know of a way to disable ACLs, no.  I'd imagine that there probably is a hidden parameter that Oracle Support could direct you to.  I'm hard-pressed to imagine why you'd really want to disable that functionality, though.
  You can create an ACL that allows access to an arbitrary host on an arbitrary port (host => '*.*.*.*' and with NULL lower_port and upper_port values). 
  Justin

• One server for two networks

  Hello,
  I do not already have a Mac Server but I'm planning to buy one, but first of all I got a question.
  Is it possible (if the server has two or more ethernet ports) to divide the services on the different ports ?
  In my example I want to represent my homepage and other web services on the one ethernet port, that is connected to the web and on the other port I want to enable screen sharing, xgrid and so on to support the local network. I now want to know if it is possible to set up different options for every ethernet port.

  Is it possible (if the server has two or more ethernet ports) to divide the services on the different ports ?
  You can have (and use) as many ports as you like. Most of my servers have 4.
  The issue is in controlling the services. By default, each service will typically listen on all interfaces, meaning they're available from all networks.
  To do what you want requires a little tuning of each service to tell it how and where to run. The configuration is based on the service (which ports to run on) rather than the port (which services to support).
  The specifics varies by service. It''s easy, for example, to do this with Apache - just tell it the IP address for each site and you're done. It's relatively easy for most of the file sharing protocols. Off hand, I can't think what's involved in ARD or XGrid.
  Worst case, even if there isn't an easy mechanism for binding a service to one port, there's always the firewall which you can use to block traffic on the ports you don't want. Not a perfect solution, but it does help.

• "Network-related or instance specific error", Works OK for Administrator

  I've been handed a legacy .Net Windows application that was previously used on Windows XP, and asked to debug a few problems encountered on Windows 7 clients.  The original developers are all gone.  I'm down to only a single
  error -- a seemingly common one: 
  "A network related or instance-specific error occurred while establishing
  a connection to SQL Server. The server was not found or was not
  accessible. Verify that the instance name is correct and that SQL Server
  is configured to allow remote connections. (provider: Named Pipes
  Provider, error: 40 - Could not open a connection to SQL Server)"
  Curiously, this error only occurs for ordinary users.  When the application is started using "Run as Administrator" it connects to the database immediately.  We believe we can configure the app to always start as an administrator,
  but obviously we'd like to run it without that if we can.  However, I haven't seen any good suggestions why the database connection would only fail this one way.
  Any ideas?  I've seen at least one troubleshooting guide that suggested trying with Run as Administrator, but it didn't say how to proceed if that fixes it.  Am I just supposed to stop at this point?  If I was having a UI problem I might understand
  that some old apps just aren't going to work in Windows 7, but this is just connecting to the database.  Seems like we should be able to do this.  I just don't know what to check.
  Thanks in advance.
  EDIT:
  I have looked more closely at this, and perhaps there are more clues.  I use the same user account to log on to two Win7 machines. One is a developer workstation with VS10 installed. The other is representative of a client workstation the app will
  run on. My user account is actually an administrator on both machines.
  At runtime we invoke advapi32.dll logonuser impersonation to logon to SQL server with a dedicated account.
  What we're seeing is that I can run the app freely on the developer workstation.  Even with UAC on, and even if I am not using "run as administrator".  This may point to something about how the SQL drivers/provider are installed
  on that machine.
  When I run on the regular user workstation, even though I am an administrator myself, I must "run as administrator" to launch it. And when I do, I get a UAC prompt.  When we turn UAC off, of course, the app runs fine.

  Hi,
  I think you are in the similar case with:
  http://support.microsoft.com/kb/2009672
  By default SSIS always uses the low privileged token resulting in a failure when connecting to a SQL Destination. Full administrator access token is required in your case.
  Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7 or Windows Vista, the user’s full administrator access token is split into two access tokens:
  a full administrator access token and a standard user access token.
  During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because
  all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.
  After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. When a standard user logs on, only a standard user access token is created. This standard user access token is then
  used to start the desktop.
  To get around this, you may configure an application to always run elevated.
  http://technet.microsoft.com/en-us/library/cc709691%28WS.10%29.aspx
  Thanks.
  Tracy Cai
  TechNet Community Support

• How to set up NAT for two servers using same port with ASDM ASA 5505

  Hi there,
  We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the orginal port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
  What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily choosen unused port, can be used to access the second server:
  Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
  and
  Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
  If so, what is the easist way to get this done? Or is there a better what to handle this scenario?
  Thanks in advance,
  James

  I would create two objects and use object NAT
  object network Obj_5004
  host 192.168.1.40
  object network Obj_5004
  nat (inside,outside) static service tcp 5003 5004
  object network Obj_5003
  host 192.168.1.38
  object network Obj_5003
  nat (inside,outside) static service tcp 5003 5003
  Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen